[<prev] [next>] [day] [month] [year] [list]
Message-ID: <237868876.20090518173723@Zoller.lu>
Date: Mon, 18 May 2009 17:37:23 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq <bugtraq@...urityfocus.com>,
full-disclosure <full-disclosure@...ts.grok.org.uk>,
<info@...cl.etat.lu>, <vuln@...unia.com>, <cert@...t.org>,
<nvd@...t.gov>, <cve@...re.org>
Subject: [TZO-22-2009] Bitdefender generic evasion of heuristics (for PDF)
________________________________________________________________________
From the low-hanging-fruit-department
Bitdefender generic evasion of heuristics (for PDF)
________________________________________________________________________
CHEAP Plug :
************************************************************************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************************************************************************
Release mode: Coordinated but limited disclosure.
Ref : [TZO-23-2009] - Bitdefender generic PDF evasion (heuristics)
WWW : http://blog.zoller.lu/2009/04/advisory-bitdefender-generic-evasion.html
Vendor : http://www.bitdefender.com
Status : Patched (with sig update after 13.05.2009)
CVE : none provided
Credit : none
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 5 days
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- Bitdefender Antivirus 2009
- Bitdefender Internet Security 2009
- Bitdefender Total Security 2009
- Bitdefender Small Office Security
- Bitdefender for Fileservers
- Bitdefender for Samba
- Bitdefender for Sharepoint
- Bitdefender Security for Exchange
- Bitdefender Security for Mailservers
- Bitdefender for ISA Servers
- Bitdefender Client security
Bundles:
- BitDefender Business Security
- Bitdefender Antivirus for Unices
- Bitdefender Corporate Security
- Bitdefender SBS Security
I. Background
~~~~~~~~~~~~~
Quote: "BitDefenderā¢ provides security solutions to satisfy the protection requirements
of today's computing environment, delivering effective threat management for
over 41 million home and corporate users in more than 100 countries. BitDefender,
a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices in
Tettnang, Germany, Barcelona, United Kingdom, Denmark, Spain and
Fort Lauderdale (FL), USA."
II. Description
~~~~~~~~~~~~~~~
The heuristics can be bypassed by a special formatted PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a
bypass that relies on archive structures but relies on evading certain
code paths in the AV engine "through various means".
III. Impact
~~~~~~~~~~~
To know more about the impact and type of "evasion", I updated the
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
Interestingly this opens the possibility to evade at scan time and
run-time.
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
08/05/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date.
13/05/2009 : Bitdefender notifies my that the patch was deployed.
[1]
Bitdefender is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/SOFTWIN to facilate communication and reduce lost reports.
Powered by blists - more mailing lists